...
This section will discuss what need to be in place before starting an implementation of a ISMS.
4. Context of the context of the organisation
4.1 Understanding the organization and its context
Determine external and internal issues that are relevant to the intended outcome of its ISMS.
4.2 Understanding the needs and expectations of interested parties
What interested parties are relevant to the ISMS and what are their requirements.
4.3 Determining the scope of the ISMS
The boundaries and applicability of the ISMS will determine the scope of the ISMS. The scope shall be available as documented information.
4.4 ISMS - Information Security Management System
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance
with the requirements of this International Standard.
5. Leadership
5.1 Leadership and commitment
The top management shall committ to the ISMS by;
a) ensuring the information security policy;
b) ensuring the integration of the ISMS requirements into the organization’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to
the ISMS requirements;
e) ensuring that the ISMS achieves its goals;
f) directing and supporting persons to contribute to the effectiveness of ISMS;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility.
5.2 Policy
...
When looking at security management the ISO 27001 comes in view. This standard describes all the aspects of security management that need to be in place when an organization wants to be certified for information security management. Though this standard covers all aspects of security management and therefore provides a good guidance, it is not a comfortable standard for implementing quality management processes. You would prefer to integrate quality management closely into your working processen, both operational and managerial. The schematic below illustrates how this can be done in a way that is both complete in terms of the ISO standard and recognizable for day-to-day operations. The upper part of the schematic (blue blobs) specifies the company wide processes. in some organizations the responsibility for information security for products and services is distributed in the organization to products teams, departments or business line. That is illustrated in the lower part (light yellow blobs) of the schematic. If you use a centralised approach for information security you only have to look at the upper part of the schematic. The chapters of ISO27001 can be mapped on this schematics. (illustrated inn gteh second sheet of the set linked to below)
| View file | ||||
|---|---|---|---|---|
|
All items in this schematic are detailed out in separate pages. Details of the mapping on ISO 27001 can also be added on these pages.
- Information security Policy
- Risk Analysis
- Controls
- Organization wide controls
- Baseline
- Annual Planning
- Operate: Implementation of controls
- Performance evaluation: audits and benchmarks
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.
5.3 Organisational roles, responsibilities and authorities
Top management shall ensure rolebased and communicated roles and authorities to information
security.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this
International Standard; and
b) reporting on the performance of the information security management system to top management.
6. Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7. Support
7.1 Rescources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8. Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
The last two chapters, 9, performance evaluation and 10, Improvement will be discussed in the group later.
Meeting notes
The minutes of the SIG-ISM WG2 meetings are confidential - the viewing is restricted to the SIG-ISM mailing list members only.
...
SOA
SOA_Template_UNINETT_Engelsk.xlsx
...